CST8265 Lab Lecture 2

The document outlines various web security concepts and vulnerabilities, including role-based access control, authentication flaws, parameter tampering, and concurrency issues. It provides practical exercises using WebGoat to exploit these vulnerabilities, such as bypassing access controls, testing password strength, and manipulating hidden fields. The goal is to educate users on identifying and mitigating security risks in web applications.

Uploaded by

Tutor J-biz
Copyright
© All Rights Reserved

CST8265 – Web Security Basics

Lab-2
By: Mohammad Nazrul Ishlam Patoary, Ph.D.
Fall - 2023
WebGoat’s: Access control matrix
• In a role-based access control scheme, a role represents a set of access permissions and privileges.
• A user can be assigned one or more roles.
• A role-based access control scheme normally consists of two parts: role permission management and role assignment.
• A broken role-based access control scheme might allow a user to perform accesses that are not allowed by his/her assigned roles, or somehow allow privilege escalation to an unauthorized role.
• WebGoat’s activity: Each user is a member of a role that is allowed to access only certain resources. Your goal is to explore the access control rules that govern this site.
• Only the [Admin] group should have access to the 'Account Manager' resource.
• Larry [User, Manager] is a user and should not get access to Account Manager.
Bypass a Path Based Access Control Scheme
• The goal of this lesson is to access a page which the “guest” user is not allowed to view. We are given a list of files that the guest user can select and view.
• The 'guest' user has access to all the files in the lesson_plans directory.
• Try to break the access control mechanism and access a resource that is not in the listed directory. After selecting a file to view, WebGoat will report if access to the file was granted.
• The vulnerability is that the “File” parameter accepts special characters such as ../../, which can be used to reach file paths in other directories.
• Say, I want to access the main.jsp file located in C:\WebGoat\.extract\webapps\WebGoat\
• Steps to complete:
  • Run the ZAP proxy: start ZAP and configure Firefox to use it.
  • Intercept the request.
  • Edit request → raw → File=../../main.jsp&SUBMIT=View+File
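The server-side check that closes this hole, as an added example (not WebGoat's own code): the File parameter is joined to the lesson_plans directory, resolved, and rejected unless the result is still a child of that directory. The directory path /srv/webgoat/lesson_plans is an assumed placeholder.

```python
from pathlib import Path

# Constructed example: the only directory the 'guest' user may read (assumed path).
LESSON_PLANS = Path("/srv/webgoat/lesson_plans").resolve()


def resolve_guest_file(user_file: str) -> Path:
    """Map the untrusted File parameter onto a path inside LESSON_PLANS.

    Raises PermissionError when the resolved path escapes the directory,
    which is what defeats File=../../main.jsp as well as absolute paths.
    """
    # Join first, then collapse '..' components and symlinks before checking.
    # A plain string-prefix test would be wrong: '/srv/webgoat/lesson_plans_old'
    # starts with the allowed prefix but is a different directory.
    candidate = (LESSON_PLANS / user_file).resolve()
    if LESSON_PLANS not in candidate.parents:
        raise PermissionError(f"access outside lesson_plans denied: {user_file!r}")
    return candidate


def is_allowed(user_file: str) -> bool:
    """True when the File parameter stays inside the guest's directory."""
    try:
        resolve_guest_file(user_file)
    except PermissionError:
        return False
    return True
```

The denial is also the event worth logging: a File value that resolves outside the directory is a probe, not a typo.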
Authentication flaws: password strength
• The accounts of your web application are only as safe as their passwords.
• If you want to protect them against brute-force attacks, your application should have good passwords.
• The password should contain lower case letters, capitals and numbers. The longer the password, the better.
• For this exercise, your job is to test several passwords. You must test all 5 passwords at the same time.
• Password = 123456: 0 seconds
  Password = abzfez: 1394 seconds
  Password = a9z1ez: 5 hours
  Password = aB8fEz: 2 days
  Password = z8!E?7: 41 days
Authentication flaws: Forgot password
• Web applications frequently provide their users the ability to retrieve a forgotten password.
• Unfortunately, many web applications fail to implement the mechanism properly. The information required to verify the identity of the user is often overly simplistic.
• Users can retrieve their password if they can answer the secret question properly.
• Your username is 'webgoat' and your favorite color is 'red'. The goal is to retrieve the password of another user.
• What about the admin user?
• Try red, blue, green, …
Authentication flaws: multilevel login
• A Multi-Level Login should provide strong authentication.
• After having logged in with your user name and password, you are asked for a 'Transaction Authentication Number' (TAN).
• You get a list with lots of TANs generated only for you by the bank. Each TAN is used only once.
• Stage 1: User: Jane, Password: tarzan and TAN 1 = 15648
• Now you are a hacker who has already stolen some information from Jane by a phishing mail. You have the password, which is tarzan, and TAN #1, which is 15648.
• The problem is that the first TAN is already used... try to break into the system anyway.
• Stage 2: The first step in this stage is equal to Stage 1. Log in as Joe with banana as password. Now you will be asked for a TAN. Unfortunately you have only an already used TAN from the victim.
• You will be asked to enter TAN #2. As Jane's already used TAN is 15648, you just need to intercept the request with WebScarab/ZAP and put Jane instead of Joe with one valid TAN.
• Flaw: hidden user field value; it allows a different user in the second stage.
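The flaw and its fix side by side, as an added example (not WebGoat's code): the flawed second stage reads the user back from the hidden form field, the fixed one takes the identity from the server-side session created at stage 1 and consumes each TAN once. Users, passwords and TAN lists are constructed demo data (Jane's used TAN #1 is already absent from her list).

```python
from typing import Dict, Optional


class Session:
    """Server-side session: the identity fixed at stage 1 lives here, not in the form."""
    def __init__(self) -> None:
        self.user: Optional[str] = None
        self.authenticated = False


class Bank:
    def __init__(self) -> None:
        # Constructed demo data (plaintext passwords only for the demo).
        # Jane's TAN #1 (15648) is already used, as in the lesson, so it is not listed.
        self.passwords = {"Jane": "tarzan", "Joe": "banana"}
        self.tans: Dict[str, Dict[int, int]] = {"Jane": {2: 15649, 3: 15650},
                                                "Joe": {1: 27001, 2: 27002}}

    def stage1_login(self, session: Session, username: str, password: str) -> bool:
        if self.passwords.get(username) != password:
            return False
        session.user = username          # remembered server-side
        return True

    def _consume_tan(self, user: str, tan_number: int, tan_value: int) -> bool:
        remaining = self.tans.get(user, {})
        if remaining.get(tan_number) != tan_value:
            return False                 # wrong, replayed or someone else's TAN
        del remaining[tan_number]        # each TAN is used only once
        return True

    def stage2_flawed(self, session: Session, form: Dict[str, str]) -> bool:
        """The lesson's flaw: the user is read back from the hidden form field,
        so a request logged in as Joe can submit user=Jane with one of Jane's TANs."""
        return self._consume_tan(form["user"], int(form["tan_number"]), int(form["tan"]))

    def stage2_fixed(self, session: Session, form: Dict[str, str]) -> bool:
        """Fix: ignore any submitted user; the session from stage 1 decides whose
        TAN list applies, and the TAN is consumed only on success."""
        if session.user is None:
            return False
        ok = self._consume_tan(session.user, int(form["tan_number"]), int(form["tan"]))
        session.authenticated = ok
        return ok
```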
Parameter tampering: Exploit Hidden Fields
• Try to purchase the HDTV for less than the purchase price, if you have not done so already.
• Developers will use hidden fields for tracking, login, pricing, etc. information on a loaded page. While this is a convenient and easy mechanism for the developer, they often don't validate the information that is received from the hidden field.
• This lesson will teach the attacker to find and modify hidden fields to obtain a product for a price other than the price specified.
• To change the hidden field you need to start your favorite HTTP interceptor. You can use ZAP from OWASP to intercept the request and change the hidden field’s price.
• Hidden fields often store which database record needs to be updated when the form is submitted.
• Flaw: you need to verify the hidden field’s price just before updating the database.
Parameter tampering: Exploit unchecked email
• It is always a good practice to validate all inputs. Most sites allow non-authenticated users to send email to a 'friend'.
• This is a great mechanism for spammers to send out email using your corporate mail server.
• The user should be able to send an unpleasant email message.
• Steps:
  • Just put the following message in the comment box and then press send: <script>alert('Attack !');</script>
  • The attack worked! Now try to attack a person other than the admin.
  • You need to start ZAP and intercept the GET and POST requests, then send this message again to another person, say bill.gates@Microsoft.com
Try by yourself
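Input validation for the 'send to a friend' form, as an added example (not WebGoat's code): the recipient is resolved server-side from a registered user id instead of a client-supplied address, the sender field is checked as a single address with no CR/LF (SMTP header injection), and the comment is HTML-escaped so the script tag from the lesson is delivered as text. The user list and addresses are constructed.

```python
import html
import re

# Constructed data: the only recipients the form may target, keyed by user id.
REGISTERED_USERS = {"admin": "admin@webgoat.local", "bob": "bob@webgoat.local"}
# fullmatch with this pattern rejects anything containing CR/LF, so a sender of
# "guest@example.com\r\nBcc: ..." cannot inject extra mail headers.
_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_MAX_BODY = 2000


def build_friend_email(form: dict) -> dict:
    """Validate every field before anything reaches the mail server."""
    to_id = form.get("to", "")
    if to_id not in REGISTERED_USERS:
        # An intercepted request cannot redirect the mail to an outside address,
        # which is what turns the form into a spam relay.
        raise ValueError("recipient must be a registered user of this site")
    sender = form.get("from", "")
    if not _ADDR_RE.fullmatch(sender):
        raise ValueError("invalid sender address")
    body = form.get("comment", "")
    if len(body) > _MAX_BODY:
        raise ValueError("comment too long")
    return {"to": REGISTERED_USERS[to_id], "from": sender,
            "body": html.escape(body, quote=True)}


def is_valid_friend_email(form: dict) -> bool:
    try:
        build_friend_email(form)
    except ValueError:
        return False
    return True
```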
Concurrency: Thread safety problem
• Web applications can handle many HTTP requests simultaneously.
• Developers often use variables that are not thread safe.
• Thread safety means that the fields of an object or class always maintain a valid state when used concurrently by multiple threads.
• As all threads share the same method area, and the method area is where all class variables are stored, multiple threads can attempt to use the same class variables concurrently.
• Proper synchronization is needed to avoid race conditions.
• Follow the WebGoat solution.
Concurrency: shopping cart concurrency flaw
• For this exercise, your mission is to exploit the concurrency issue which will allow you to purchase merchandise for a lower price.
• Open a new browser window on the same page.
• In window A you choose a low cost item and click "Purchase".
• In window B you choose a high cost item you want to buy and click "update cart".
• Then in window A, confirm the purchase.
Try to purchase for a lower price!
• Because all threads share the same class variables,
• multiple threads can attempt to use the same class variables concurrently.
Before confirm, just update Cart in the right window….
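The thread-safety problem and the shopping-cart race from the two slides above, as one added example (not WebGoat's code): the flawed shop keeps the cart in a class variable shared by every request and charges the price quoted at "Purchase" while shipping whatever the cart holds at "confirm"; the fixed shop keeps per-session cart state and re-prices the cart under a lock at confirmation, refusing the order if it no longer matches the quote. replay_lesson runs the lesson's window A / window B interleaving deterministically; prices and session ids are constructed.

```python
import threading

# Constructed catalogue (prices in cents).
PRICES = {"DVD": 1999, "HDTV": 299999}


class SharedCartShop:
    """The lesson's flaw: one class-level cart shared by every request (like a
    static field in a servlet); confirm charges the earlier quote but ships
    whatever the cart holds now."""
    cart_item = None                      # class variable, shared by all threads

    def update_cart(self, session_id, item):
        SharedCartShop.cart_item = item

    def start_purchase(self, session_id, item):
        self.update_cart(session_id, item)
        return PRICES[item]               # quote shown on the confirmation page

    def confirm_purchase(self, session_id, quoted_price):
        return {"item": SharedCartShop.cart_item, "charged": quoted_price}


class SafeCartShop:
    """Fix: per-session cart state, and confirm re-prices the cart under a lock so
    the item shipped and the amount charged come from one consistent snapshot."""
    def __init__(self):
        self._lock = threading.Lock()
        self._carts = {}                  # session id -> item

    def update_cart(self, session_id, item):
        with self._lock:
            self._carts[session_id] = item

    def start_purchase(self, session_id, item):
        self.update_cart(session_id, item)
        return PRICES[item]

    def confirm_purchase(self, session_id, quoted_price):
        with self._lock:
            item = self._carts[session_id]
            price = PRICES[item]          # recomputed now, never taken from the quote
            if price != quoted_price:     # cart changed between the two steps
                return {"item": item, "charged": 0, "error": "cart changed, confirm again"}
            return {"item": item, "charged": price}


def replay_lesson(shop, session_id="browser-1"):
    """Window A starts buying the cheap item, window B (same browser session)
    updates the cart to the HDTV, then window A confirms."""
    quoted = shop.start_purchase(session_id, "DVD")
    shop.update_cart(session_id, "HDTV")
    return shop.confirm_purchase(session_id, quoted)
```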
Thank you